the law says that "overcoming" security measures is a crime. nothing was "overcome".
plaintext is simply not a "security measure" and the law was applied wrong.
there may have been some form of infringement in regards to privacy or sensitive data or whatever, but it definitely wasn't "hacking" of any kind.
just like it isn't "hacking" to browse someone's computer files when they leave a device unlocked and accessible to anyone. invasion of privacy? sure. but not hacking.
and the law as written (§202a StGB) definitely states that security measures have to be circumvented in order to be applied.
that's the problem with the case!
not that the guy overstepped his bounds, but that the law was applied blatantly wrong and no due diligence was used in determining the outcome of the case.